Considering IPv6 support in Windows 7 shops

Internet Protocol version 4 addresses will soon be exhausted, so organizations with Windows 7 PCs will need to consider adding support for the new IPv6 addresses.

Modern Windows operating systems -- such as Windows Vista and Windows 7 on the desktop and Windows Server 2008 R2 -- are sometimes designated as "IPv6-ready." IT administrators might think that they can plug these systems in, turn them on and watch them run Internet Protocol Version 6 seamlessly, but they'd be only partially correct.

IPv4 addresses will be completely exhausted in coming months; the last batch was handed out to various regional Internet registries in April 2011. Many organizations are thinking about adding support for 128-bit IPv6 addressing. Enterprises shouldn't have to worry about running out of addresses again with a typical public IPv6 network address grant of a /64 block because 2^64 is just under 1.85 * 10^19, or about 4 billion times as many addresses as found in the entire IPv4 address space.

IPv6-ready OSes can use IPv6 to talk to one another, primarily for Windows HomeGroups on non-Active Directory networks and to support the new DirectAccess IPv6 and IPsec-based virtual private network (VPN) technology. But some gotchas have to be addressed before Windows 7 (and Vista) plays nicely on IPv6-enabled corporate networks.

Should you move to DHCPv6?
Strictly speaking, Dynamic Host Configuration Protocol (DHCP) isn't really needed for IPv6 addressing. IPv6 network nodes are perfectly capable of addressing themselves, so to speak, if network administrators are content to let them do it on their own. But many network admins have grown accustomed to working with DHCP, and they often like to specify address formats or blocks to separate devices by location, organizational units, class (such as switches, routers and servers) or whatever method makes sense to them.

These same admins are likely to take comfort from learning that DHCPv6 is alive and readily available. Windows Server 2008 (and the R2 variant) supports it directly, as do many network appliances and even some open-source offerings. On my own networks -- including an IPv6 test lab collocated in Fremont, Calif. -- I use the redoubtable Fortinet FortiGate 80C's built-in DHCPv6 server. A search at Sourceforge.net lists eight different DHCPv6 variants, at least half of which run on Windows.

Many network admins will keep using DHCP for IPv6 because they have already developed policies and procedures for working with it on IPv4. They'll need to find a version of DHCP to use and become familiar with its interface and operation. Those already familiar with DHCP for IPv4 won't have much of a learning curve to climb, but some effort will be required.

If not DHCPv6, then what?
IPv6 offers numerous methods for auto-addressing, where network nodes figure out their own addresses as they come up on the network during startup or following address /release and /renew operations. Here is one Windows 7 gotcha. The default method for auto-addressing in IPv6 relies on the neighbor discovery protocol (NDP). Network nodes send out inquiries about IPv6 addresses already in use on their cable segments, virtual LANs or broadcast domains and then use the information received in response to craft their own network addresses to be consistent.

But there's another method that IPv6 can use, known as "identifier randomization." Basically, network nodes choose an interface address at random and keep it if subsequent collision testing detects that the chosen address is not already in use. Although Microsoft engineers actually helped to develop the NDP specification, Windows 7 uses identifier randomization for IPv6 auto-addressing by default instead of NDP.

This works fine on all-Windows networks. But since very few networks use only Windows -- especially on switches, routers, firewalls, appliances and other infrastructure elements -- this can cause mismatches and unwanted behaviors on most networks. Fortunately, there's an easy fix: A single network shell (netsh) command will turn off identifier randomization, and call NDP-based auto-addressing into service instead:

            netsh interface ipv6 set global randomizeidentifiers=disabled
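
To check that the change took effect across a set of PCs, the following added example (not part of the original article) compares each host's observed address with the one its network adapter should produce. It assumes that with identifier randomization disabled, Windows derives the interface identifier from the adapter's MAC address in modified EUI-64 form (RFC 4291); the function names and the sample inventory are constructed for illustration.

```python
import ipaddress

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) for a 48-bit MAC."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    # Flip the universal/local bit and insert ff:fe between the two MAC halves.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")

def expected_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host should autoconfigure on a /64 once randomization is off."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("autoconfiguration uses a 64-bit interface identifier")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))

def classify(address: str, mac: str) -> str:
    """Label the low 64 bits (interface identifier) of an observed address."""
    addr = ipaddress.IPv6Address(address.split("%")[0])  # drop a zone index such as %11
    iid = int(addr) & ((1 << 64) - 1)
    if iid == eui64_interface_id(mac):
        return "eui64"
    if (iid >> 24) & 0xFFFF == 0xFFFE:
        return "eui64-other-mac"  # EUI-64 shape, but not this adapter's MAC
    return "not-eui64"

def hosts_not_eui64(inventory):
    """Hosts whose address is not derived from any MAC (e.g. still randomized)."""
    return [host for host, mac, addr in inventory if classify(addr, mac) == "not-eui64"]

# Constructed sample inventory: documentation prefix 2001:db8::/32, made-up MACs.
SAMPLE = [
    ("pc-01", "00-1A-2B-3C-4D-5E", "2001:db8:a:1:21a:2bff:fe3c:4d5e"),
    ("pc-02", "00-1A-2B-3C-4D-5F", "2001:db8:a:1:a9c3:17e4:5b02:9d6f"),
    ("pc-03", "00-1A-2B-3C-4D-60", "fe80::21a:2bff:fe3c:4d60%11"),
]

if __name__ == "__main__":
    for host, mac, addr in SAMPLE:
        print(host, classify(addr, mac))
    print("follow up on:", hosts_not_eui64(SAMPLE))
```

Statically assigned, DHCPv6 and temporary addresses also report as not-eui64, so feed it the autoconfigured permanent address of each interface.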

DNS gets a new resource record: AAAA
There isn't really a Domain Name System (DNS) v6 per se, so no separate service is needed for IPv6 name resolution. Instead, systems need an update or configuration change to whatever version of DNS is already in use to add support for an IPv6 address resource record. It's called an "AAAA record" to distinguish it from the IPv4 A record (and because 4 * 32 = 128, where 32 is the number of bits in an IPv4 address, and 128 the number of bits in an IPv6 address, there's a rough and ready humor to this designation).

All of the major DNS service implementations -- such as BIND, Microsoft DNS, Unbound and NSD -- already support AAAA records and, by extension, IPv6 name resolution. But an organization must enable and configure this capability to work on its DNS servers. Here again, IT pros already familiar with DNS will not find it too difficult to add IPv6 name resolution, reverse lookups and so on to their DNS service offerings.

A mixed grab bag: Getting applications ready
The difficulty of adding IPv6 capabilities to apps and services will vary. For example, in most cases, current versions of email and Web services software already support IPv6, but it must usually be turned on or enabled. Then, IT must configure and test the apps carefully in a pilot or test lab situation before allowing them to go into production. In some cases, older code may need to be updated or perhaps even replaced or scrapped because of missing IPv6 support.

Admins saddled with the seemingly contradictory tasks of maintaining mission-critical legacy applications that will never, ever support IPv6 and the simultaneous move to IPv6 networking should investigate devices like the Datatek Transformer. This is basically a protocol translation device that enables a single IPv4 server to be plugged into one side, a link into an IPv6 backbone or distribution network on the other, and it bridges the two worlds. At present, only a two-port version (one IPv6, the other IPv4) is available, but Datatek has a photo of a multiport "protocol gateway" on its website.

Windows 7 can make the jump to IPv6
As you get more familiar with IPv6 and begin to build out a matching network infrastructure, you'll discover that Windows 7 generally does a good job of supporting this newest version of IP and the changes it brings. For access to copious technical details and information on working with IPv6 in Windows 7 -- and various server versions -- be sure to search for IPv6 topics on MSDN and TechNet. If nothing else, you'll find several years' worth of reading to occupy yourself with on these subjects.

ABOUT THE AUTHOR:
Ed Tittel is a longtime computer industry writer with over 100 computer books and thousands of articles to his credit. His most recent security book is UTM for Dummies (Wiley, 2011, ISBN-13: 978-1118087015, not yet printed). Read his IT Career JumpStart and Windows Enterprise Desktop blogs for TechTarget, too.

This was first published in October 2011
